ID. Date of interview 
date 42/92/20 


ID. Time interview started 
Start 11:48:36 


ID.end Completion date of interview 
Date 42/02/20 


ID.end Time interview ended 
12:07:39 


ID. Duration of interview 
time 4905 


new Case 


ICO consultation on the draft right of access 
guidance 


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
© Yes 
©) No 

©) Unsure / don't know 

If no or unsure/don’t know, what other issues would you like to be covered in it? 


Q2 


Does the draft guidance contain the right level of detail? 


© Yes 
©) No 

©) Unsure / don't know 

If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


Q3 


Does the draft guidance contain enough examples? 
O) Yes 
© No 
©) Unsure / don't know 


If no or unsure/don’t know, please provide any examples that think should be included in 
the draft guidance. 


Examples or further clarification suggestions: * requests including confidential references * requests that 
include negotiations e.g. in an employee disciplinary case. e requests where there is likely to be a lot of 
third-party data to be redacted e.g. HR employee relation cases. e CCTV requests / how best to meet 
both the data subject and other individuals’ rights. * Clarification on when emails sent by a data subject 
would become personal data, if the contents of the email were not personal data. Requests are often 
received for copies of all emails sent to and by the data subject. 


Q4 


We have found that data protection professionals often struggle with applying and 
defining ‘manifestly 

unfounded or excessive’ subject access requests. We would like to include a wide 

range of examples 

from a variety of sectors to help you. Please provide some examples of manifestly 
unfounded and excessive 

requests below (if applicable). 


As a DPO shared service we are finding it difficult to understand when these may 
apply. We appreciate each case is different, however feel it would be extremely 
beneficial to have some more realistic examples available for reference. Examples 
of manifestly unfounded or excessive we have applied: Data Subject who made a 
repeated request for information that did not exist. Requests made under 
complaints, via FOISA and GDPR that we were deemed to be causing harassment 
and not for the purpose of confirming processing of data was lawful. Refused as 
manifestly unfounded for causing disruption to the organisation repeatedly for 
information that did not exist. Decision made based on ICO helpline advice. 
Example of where we considered a request could potentially be manifestly 
unfounded and the ICO did not agree: Data Subject made repeated request for 
information, previously refused in order to protect third party data and due to Police 
investigation. Data subject writing to the organisation daily, to different staff 
accusing staff of deliberately editing data being provided to the Police. Example of 
request where consideration was made to potentially applying manifestly unfounded 
or excessive: Employee requests all data, including all emails in relation to them. 
Number of emails returned was vast, with an estimated cost > £7000 to review and 
redact third party data - we considered this may be potentially excessive. Same 
data subject was also targeting specific staff members, therefore we were also 
exploring manifestly unfounded. None of these were applied in the end due to the 
data subject changing the request 


Q5 Ona scale of 1-5 how useful is the draft guidance? 


Moderately 4 — Very 
useful useful 


1-Notatall 2 — Slightly 
useful useful 


5 — Extremely 
useful 


Q6 


Why have you given this score? 
We found that the guidance was clear and understandable, allowing us to direct 


other staff to access and use it easily. Benefits of being understandable also for data 
subjects as it can be helpful for them to understand what organisations are working 
to. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 
Strongly Neither agree Strongly 
disagree Disagree nor disagree Agree agree 


© ©) 


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


Are you answering as: 

( D An individual acting in a private capacity (eg someone providing their views as a member of the public) 
C) An individual acting in a professional capacity 

© On behalf of an organisation 

() Other 

Please specify the name of your organisation: 

HEFESTIS Ltd 

What sector are you from: 

Higher and Further Education (DPO Shared Service) 


Q10 How did you find out about this survey? 
©) ICO Twitter account 
(|) ICO Facebook account 
©) ICO LinkedIn account 
© ICO website 
©) ICO newsletter 
C) ICO staff member 
C) Colleague 
©) Personal/work Twitter account 
(`) Personal/work Facebook account 
() Personal/work LinkedIn account 
O Other 
If other please specify: 


